[Samba] question about winbind rid idmaping

Andrea Cucciarre' acucciarre at cloudian.com
Thu Oct 29 12:52:24 UTC 2020


My system is merely a Samba AD member (not a Samba DC).
The system is a CentOS:

# cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core)

and we are running the following Samba version:

# smbd --version
Version 4.11.2

There's no sssd running, we use only winbindd for id mapping, below my 

security = ads
workgroup = HYPERFILE
netbios name = HF-1
log file = /hyperfile/gluster-cache/logs/winbindd/1/log.%I
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HYPERFILE : backend = rid
idmap config HYPERFILE : range = 10000-999999
log level = 5
max log size = 10000
winbind refresh tickets = Yes
winbind offline logon = true
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
kerberos method = secrets and keytab
winbind enum groups = yes
winbind enum users = yes
client signing = yes
client use spnego = yes
template shell = /bin/bash
template homedir = /home/%U


On 10/29/2020 1:07 PM, Rowland penny via samba wrote:
> On 29/10/2020 11:56, Andrew Walker wrote:
>> Several of the idmap backends (including idmap_rid) in samba support 
>> id_type_both (the ID is both a user and a group). This is ultimately 
>> needed for accurately producing Windows-style behavior regarding 
>> permissions (where a group can be the owner of a file). Without 
>> knowing the details of the ACL module, the best path forward would be 
>> for you to figure out how to maintain windows-like behavior.
> The only place that I have found id_type_both to be used, is in 
> idmap.ldb on a Samba AD DC. Windows behaviour is for a group to be 
> able to own files. Unix has no such concept, but it is possible for a 
> user & a group to have the same name, this is not possible on Windows.
> We need more info to diagnose this problem.
> Rowland
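The idmap_rid arithmetic the posted smb.conf relies on, as an added example that is not part of this thread: idmap_rid derives the Unix ID as RID - base_rid + low_range (base_rid defaults to 0), reports the SID unmapped when the result falls outside the configured range, and Samba requires that no two idmap ranges overlap. The HYPERFILE domain SID below is a constructed placeholder, not a value from the post.

```python
import re

# idmap lines exactly as in the posted smb.conf.
SMB_CONF_LINES = [
    "idmap config * : backend = tdb",
    "idmap config * : range = 3000-7999",
    "idmap config HYPERFILE : backend = rid",
    "idmap config HYPERFILE : range = 10000-999999",
]

# Constructed placeholder domain SID for HYPERFILE; not from the post.
DOMAIN_SIDS = {"HYPERFILE": "S-1-5-21-1111111111-2222222222-3333333333"}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(lines):
    """Collect 'idmap config DOM : key = value' lines into {DOM: {key: value}}."""
    cfg = {}
    for line in lines:
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            if key == "range":
                lo, hi = val.split("-")
                val = (int(lo), int(hi))
            cfg.setdefault(dom, {})[key] = val
    return cfg

def rid_to_unix_id(sid, cfg, domain_sids=DOMAIN_SIDS):
    """idmap_rid rule: ID = RID - base_rid + low_range (base_rid defaults to 0).
    None means no rid-mapped domain matched or the ID is outside the range."""
    for dom, entry in cfg.items():
        dom_sid = domain_sids.get(dom)
        if entry.get("backend") != "rid" or not dom_sid:
            continue
        if not sid.startswith(dom_sid + "-"):
            continue
        rid = int(sid.rsplit("-", 1)[1])
        lo, hi = entry["range"]
        unix_id = rid - int(entry.get("base_rid", 0)) + lo
        return unix_id if lo <= unix_id <= hi else None
    return None

def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap; Samba requires none."""
    doms = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    return [(a, b) for i, (a, ra) in enumerate(doms)
            for b, rb in doms[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]
```

With the posted ranges, a HYPERFILE RID of 1105 maps to UID/GID 11105 and the "*" tdb range stays clear of the rid range.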
